Gamers do battle with hackers online

Tuesday, Mar 4, 2008 at 2:00 AM

They sit with their eyes glued to their computer screens, slightly tense and with great interest in the outcome of their efforts — though only one of the pair is aware of the other. The gamer is somewhere in New England, slaying beasts and gathering gear and money in the Massive Multi-Player Online Role Playing (MMO) game he has invested more than 80 hours in over the past year. His opposite sits at a desk in a darkened office in a subdivided warehouse on the outskirts of a large Chinese, Russian or Korean city, the windowless den about to become the scene of the crime — if what he was doing was illegal.

C.M. BOOTS-FAUBERT

As the gamer logs off, satisfied with his evening of slaying monsters and hunting treasure, the hacker is just going to work. Quickly logging into the gamer's account, he checks the money balance, then applies a skilled eye to the gear in the gamer's safe and bags, making a quick assessment and deciding that this one is worth harvesting now.

Within half an hour, the hacker is meeting a representative from one of the major RMT Web sites — in game parlance, RMT means real-money trade — inside the game. Less than a minute later, he hands over 40 million in platinum that, as far as the RMT rep knows, is legitimately his to sell. RMT sites routinely acquire in-game money in this fashion, selling it to other players through their Web site for real-world money, despite the fact that the practice violates games' terms of service. This business is so profitable that there are people who support themselves by farming money in the games to sell to RMT sites. But the big money comes from acquiring high-end accounts through hacking.

At the speed of light, $800 in real money is transferred into an online bank account — one of dozens set up by the hacker — and 15 minutes later, an accomplice withdraws the funds from a nearby ATM. They move fast because, when the gamer discovers what has happened, the chase will begin. That account's lifespan is now measured in hours. The call comes on his cell — the money is there. Armor and weapons are transferred to a temporary shill character, then put through a number of misleading transactions in hopes of muddying the waters long enough for the items to be converted into pieces of platinum bound for another RMT agent. And the character? It isn't easy to max-level a templar these days, so it goes right on the auction block. By this time tomorrow, somebody else will own it — and pay well for it.

In the gaming world, anyone can be a very powerful mage or a warrior able to slay monsters and win glory in battle. It is that online prowess upon which reputation and popularity are based.

Games like Final Fantasy XI, Star Wars Galaxies and EverQuest II operate under "persistent reality." Just like in the real world, there is no do-over. And that's just fine with the citizens of these fantasy worlds, but make no mistake — fantasy or not, these worlds have become economic forces in their own right, with thriving in-game economies that can rival the GNP of a small country. A skilled player can amass considerable in-game wealth and power.

In the online world, there is no tax. Your wealth-gathering potential increases by "leveling" your characters; the higher the level, the greater the skills in fighting, magic or crafting. That directly translates into more and better items, armor, weapons, and money.

Many players concentrate on completing high-level quests for reward items that can be worth millions in game money, or they target rare treasure that can be looted from a mob after it is killed. If they do not need the treasure or item for their own characters, they can sell it on the in-game auction house for considerable gain. The price for this success is measured in terms of play — dozens of hours spent just to acquire basic gaming skills and then dozens more honing these skills and gaining levels. The loss of an account or character is an emotional hit for the victims, most of whom never suspected that real-world crime could appear in their fantasy life.

Fraud on a very large scale has impacted MMOs, and none are immune to it. Criminals tend to go where the money is and, according to industry sources, that virtual economy may soon be measured in billions of real-world dollars.

At Japan-based Square Enix, parent company for Final Fantasy XI, whose player base exceeds 500,000 players worldwide, damage from hacked accounts has become so great that the company has established a procedure for players to have their accounts recovered by the company. A form from the game's Web site must be signed before a notary, and the victim must prove that they are the original owner of the account.

This process — taking days to weeks to complete — is the first admission by any company in the industry that there is a problem and the first to offer a procedure to restore hacked accounts. Most other big players in the MMO scene have yet to adopt any protocol. Getting an account back with them is a painful experience and, in some cases, simply not possible.

In the past month alone, more than 100 players have reported losing accounts to hackers in FFXI, and those are just the ones who have posted the news to chat boards. The true number is likely at least 10 times as many. Square Enix has been quick to respond, starting with an investigation that led to bans of 10,920 accounts and suspension of another 2,350 accounts pending further investigation. Not all of these accounts were involved in RMT or hacking. Some were punished for cheating in-game, using third-party automation software, or for violating the terms of service in other ways.

Square Enix also warned its player base to visit only known and established gaming sites, to avoid being infected or re-infected by key-logging applets.

A brief read of chat boards for other games reveals that they are also experiencing the bite from hackers, though companies are reluctant to admit that the problem is as large as it obviously is.

What is surprising is that hackers are using techniques previously used to obtain bank information and login data for sites such as PayPal and eBay. Why the change? Stealing money from your bank account is illegal, while stealing items from your game account is not.

The problem stems from the close integration of Microsoft Office and weaknesses in the code for Microsoft Internet Explorer. Using exploits to compromise Web sites popular with gamers, the hackers insert hostile but undetectable code in these Web sites — many of which are used as references for online game play. Gamers unwittingly infect their computers with small mini-applications (applets) that sit dormant, waiting for them to log in to a game. When that happens, the applet records their account name and password, then goes dormant again, waiting for a pre-determined time when it will upload the data to be used to rob yet another account.

The mechanics are simple, but the process still catches most players by surprise: They have anti-virus and anti-phishing software on their computer, they update definition files several times a week, and they are careful not to go to sites that they are not familiar with, so how could it happen to them? The problem is that Internet Explorer is so deeply embedded in the operating system that keeping track of what it is doing is not always feasible for anti-virus and firewall software.

There are steps that can be taken to prevent this, starting with the browser. Alternatives to Internet Explorer include Netscape (browser.netscape.com) and Firefox (www.mozilla.org). Because they are not integrated into the operating system, these browsers will not blindly execute hostile code planted on Web sites, and so foil the compromise before it begins.

If changing browsers is not an option, or you want to continue to use IE, there are steps you can take to lessen the likelihood of being hacked. First, turn off Java Scripting in the browser configuration menu and disable Java in the settings under the Advanced tab. Finally, under Settings > Programs, change all of the programs listed there so that they are not Microsoft Outlook or Outlook Express. That way, the Web browser cannot pass commands to them. If you use Outlook or Outlook Express as your e-mail program, you will still be able to run it by double-clicking its icon, but IE may no longer be able to pass the loading commands for the hostile applet to them, making it much more difficult for a hacker to infect your computer.
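A read-only check of the three settings named in the steps above, as an added example that is not part of the original article. It assumes Windows PowerShell 3.0 or later and that the settings live in the standard per-user Internet zone key and the classic default-mail-client key; the function names are chosen here for illustration.

```powershell
# Added example: read-only audit of the IE settings described above. Changes nothing.
# Assumed locations: per-user Internet zone (zone 3) and the classic default-mail key.
$InternetZone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# URL-action values in a zone key: 1400 = Active scripting, 1C00 = Java permissions.
$Checks = @(
    @{ Label = 'Active scripting (JavaScript)'; Name = '1400'; Disabled = 3 },
    @{ Label = 'Java permissions';              Name = '1C00'; Disabled = 0 }
)

function Test-IEZoneSettings {
    param([string]$ZoneKey = $InternetZone)
    foreach ($check in $Checks) {
        # A missing value means the user never changed the zone default.
        $prop  = Get-ItemProperty -Path $ZoneKey -Name $check.Name -ErrorAction SilentlyContinue
        $value = if ($prop) { $prop.($check.Name) } else { $null }
        $shown = if ($null -eq $value) { 'not set' } else { '0x{0:X}' -f $value }
        [pscustomobject]@{
            Setting  = $check.Label
            Current  = $shown
            Disabled = ($null -ne $value) -and ($value -eq $check.Disabled)
        }
    }
}

function Get-DefaultMailClient {
    # The per-user choice wins over the machine-wide default.
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $key = Get-Item -Path "$hive\Software\Clients\Mail" -ErrorAction SilentlyContinue
        if ($key) {
            $name = $key.GetValue('')   # '' reads the key's (Default) value
            if ($name) { return $name }
        }
    }
    return $null
}

Test-IEZoneSettings | Format-Table -AutoSize

$mail = Get-DefaultMailClient
if ($mail -match 'Outlook') {
    Write-Output "Default mail program is still $mail; the third step is not applied."
} elseif ($mail) {
    Write-Output "Default mail program is $mail."
} else {
    Write-Output 'No default mail program is registered.'
}
```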

Computer users should also maintain the definition files on their anti-virus programs and routinely run a utility to check for the existence of a key logger prior to logging into games and online bank and auction accounts. Changing passwords for online game and financial accounts at least once a month is sound security, with passwords containing both numbers and letters — a mixture of upper- and lower-case — being optimal. Just be sure to check for a key logger before changing passwords.

Also, a large number of free security utilities are available on the Web and in stores. One of the more effective multi-function security applications is WinPatrol 2007, which has a full suite of spyware, adware, anti-phishing, and background-process detectors and can remove these along with any key-loggers. Best of all, WinPatrol 2007 has a free, downloadable version. It is also wise to check for updates and patches to your operating system and Web browser, a chore that can be automated by configuring Windows Update to do it for you once a week.

Fortunately, the tools needed to be safe from violation in the online world are freely available. Just be sure to use them often, because the next big exploit is likely already out there — we just haven't heard of it yet.

C.M. Boots-Faubert is a freelance writer who lives in Falmouth. He can be reached at chris@boots-faubert.com.